From: Helmuth Antholzer (hellidnet.it)
Date: Sat Jun 02 2001 - 12:00:36 CDT

    I found the following problem in the WebBoard:
    The Board has a paging function. User A can send a message to user B. User
    B gets a javascript popup (produced with alert()) with the message from user
    A.
    The problem is that user A can close the alert() function and so he can
    execute his javascript code on user B's machine.

    Example of a message which executes my code:
    \');for(i=0;i<100000;i++) alert("not nice"); //

    There is a function that escapes the ' but if I escape it, it will be escaped
    a second time ... the effect is that then the \ will be escaped and the alert
    is closed. So after that I can put my code! // (comment) this comment is
    needed because there is still a '); from the alert; with the help of the
    comment this will not produce an error.

    greets helli
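
Added example (not part of the original post and not WebBoard's code): the quote-only escaping the post describes, next to an escaper that also encodes the backslash, with a check that the message stays inside the string literal. The function names and the `alert('...')` template are assumptions; the first sample message is the one from the post, the second is constructed.

```javascript
// Added example; function names and the alert('...') template are assumptions.

// Flawed escaper, as the post describes it: only the quote is escaped, so a
// backslash supplied by the sender reaches the page untouched.
function escapeQuoteOnly(msg) {
  return msg.replace(/'/g, "\\'");
}

// Hardened escaper: every character that can end or alter a JS string literal
// inside an HTML page is emitted as a \uXXXX escape, backslash included.
function escapeJsString(msg) {
  return msg.replace(/[\\'"<>&\r\n\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Assumed shape of the generated paging popup.
function renderPopup(msg, escaper) {
  return "alert('" + escaper(msg) + "');";
}

// Walk the generated statement the way a JS tokenizer would and return the
// source text left over after the first string literal closes.
function afterFirstLiteral(stmt) {
  let i = stmt.indexOf("'") + 1;
  while (i < stmt.length && stmt[i] !== "'") {
    i += stmt[i] === "\\" ? 2 : 1; // a backslash consumes the next character
  }
  return stmt.slice(i + 1);
}

// The message stays inside the literal only if nothing but ");" follows it.
function staysInsideLiteral(msg, escaper) {
  return afterFirstLiteral(renderPopup(msg, escaper)) === ");";
}

// Message from the post, plus an ordinary one (constructed).
const posted = "\\');for(i=0;i<100000;i++) alert(\"not nice\"); //";
const ordinary = "it's lunch time";

console.log(renderPopup(posted, escapeQuoteOnly));
console.log(staysInsideLiteral(ordinary, escapeQuoteOnly)); // true
console.log(staysInsideLiteral(posted, escapeQuoteOnly));   // false
console.log(staysInsideLiteral(posted, escapeJsString));    // true
```

The quote-only escaper passes for ordinary messages, which is why the defect is easy to miss in testing; a regression test for the fix needs an input that contains a backslash immediately before the quote.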